MITRE ATT&CK Technique
Description
**This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).** Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement. COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) DCOM is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019) Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft Process Wide Com Keys)(Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM. Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript.(Citation: Microsoft COM) Specific COM objects also exists to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018) Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1173) (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2018-01-16T16:13:52.465Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '**This technique has been deprecated. Please use [Distributed '
'Component Object '
'Model](https://attack.mitre.org/techniques/T1021/003) and '
'[Component Object '
'Model](https://attack.mitre.org/techniques/T1559/001).**\n'
'\n'
'Adversaries may use the Windows Component Object Model (COM) '
'and Distributed Component Object Model (DCOM) for local code '
'execution or to execute on remote systems as part of lateral '
'movement. \n'
'\n'
'COM is a component of the native Windows application '
'programming interface (API) that enables interaction between '
'software objects, or executable code that implements one or '
'more interfaces.(Citation: Fireeye Hunting COM June 2019) '
'Through COM, a client object can call methods of server '
'objects, which are typically Dynamic Link Libraries (DLL) or '
'executables (EXE).(Citation: Microsoft COM) DCOM is '
'transparent middleware that extends the functionality of '
'Component Object Model (COM) (Citation: Microsoft COM) beyond '
'a local computer using remote procedure call (RPC) '
'technology.(Citation: Fireeye Hunting COM June 2019)\n'
'\n'
'Permissions to interact with local and remote server COM '
'objects are specified by access control lists (ACL) in the '
'Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft '
'Process Wide Com Keys)(Citation: Microsoft System Wide Com '
'Keys) By default, only Administrators may remotely activate '
'and launch COM objects through DCOM.\n'
'\n'
'Adversaries may abuse COM for local command and/or payload '
'execution. Various COM interfaces are exposed that can be '
'abused to invoke arbitrary execution via a variety of '
'programming languages such as C, C++, Java, and '
'VBScript.(Citation: Microsoft COM) Specific COM objects also '
'exists to directly perform functions beyond code execution, '
'such as creating a [Scheduled '
'Task/Job](https://attack.mitre.org/techniques/T1053), '
'fileless download/execution, and other adversary behaviors '
'such as Privilege Escalation and Persistence.(Citation: '
'Fireeye Hunting COM June 2019)(Citation: ProjectZero File '
'Write EoP Apr 2018)\n'
'\n'
'Adversaries may use DCOM for lateral movement. Through DCOM, '
'adversaries operating in the context of an appropriately '
'privileged user can remotely obtain arbitrary and even direct '
'shellcode execution through Office applications (Citation: '
'Enigma Outlook DCOM Lateral Movement Nov 2017) as well as '
'other Windows objects that contain insecure '
'methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: '
'Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute '
'macros in existing documents (Citation: Enigma Excel DCOM '
'Sept 2017) and may also invoke [Dynamic Data '
'Exchange](https://attack.mitre.org/techniques/T1173) (DDE) '
'execution directly through a COM created instance of a '
'Microsoft Office application (Citation: Cyberreason DCOM DDE '
'Lateral Movement Nov 2017), bypassing the need for a '
'malicious document.',
'external_references': [{'external_id': 'T1175',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1175'},
{'description': 'Hamilton, C. (2019, June 4). Hunting '
'COM Objects. Retrieved June 10, '
'2019.',
'source_name': 'Fireeye Hunting COM June 2019',
'url': 'https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html'},
{'description': 'Microsoft. (n.d.). Component Object '
'Model (COM). Retrieved November 22, '
'2017.',
'source_name': 'Microsoft COM',
'url': 'https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx'},
{'description': 'Microsoft. (n.d.). DCOM Security '
'Enhancements in Windows XP Service '
'Pack 2 and Windows Server 2003 '
'Service Pack 1. Retrieved November '
'22, 2017.',
'source_name': 'Microsoft COM ACL',
'url': 'https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1'},
{'description': 'Microsoft. (n.d.). Setting '
'Process-Wide Security Through the '
'Registry. Retrieved November 21, '
'2017.',
'source_name': 'Microsoft Process Wide Com Keys',
'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx'},
{'description': 'Microsoft. (n.d.). Registry Values '
'for System-Wide Security. Retrieved '
'November 21, 2017.',
'source_name': 'Microsoft System Wide Com Keys',
'url': 'https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx'},
{'description': 'Forshaw, J. (2018, April 18). '
'Windows Exploitation Tricks: '
'Exploiting Arbitrary File Writes for '
'Local Elevation of Privilege. '
'Retrieved May 3, 2018.',
'source_name': 'ProjectZero File Write EoP Apr 2018',
'url': 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html'},
{'description': 'Nelson, M. (2017, November 16). '
"Lateral Movement using Outlook's "
'CreateObject Method and '
'DotNetToJScript. Retrieved November '
'21, 2017.',
'source_name': 'Enigma Outlook DCOM Lateral Movement '
'Nov 2017',
'url': 'https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/'},
{'description': 'Nelson, M. (2017, January 5). '
'Lateral Movement using the MMC20 '
'Application COM Object. Retrieved '
'November 21, 2017.',
'source_name': 'Enigma MMC20 COM Jan 2017',
'url': 'https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/'},
{'description': 'Nelson, M. (2017, January 23). '
'Lateral Movement via DCOM: Round 2. '
'Retrieved November 21, 2017.',
'source_name': 'Enigma DCOM Lateral Movement Jan '
'2017',
'url': 'https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/'},
{'description': 'Nelson, M. (2017, September 11). '
'Lateral Movement using '
'Excel.Application and DCOM. '
'Retrieved November 21, 2017.',
'source_name': 'Enigma Excel DCOM Sept 2017',
'url': 'https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/'},
{'description': 'Tsukerman, P. (2017, November 8). '
'Leveraging Excel DDE for lateral '
'movement via DCOM. Retrieved '
'November 21, 2017.',
'source_name': 'Cyberreason DCOM DDE Lateral '
'Movement Nov 2017',
'url': 'https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom'}],
'id': 'attack-pattern--772bc7a8-a157-42cc-8728-d648e25c7fe7',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'lateral-movement'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'execution'}],
'modified': '2025-10-24T17:48:58.243Z',
'name': 'Component Object Model and Distributed COM',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': True,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.1'}